Talk:Internet Protocol security architecture: Difference between revisions
imported>Howard C. Berkowitz (New page: {{subpages}})
imported>Howard C. Berkowitz
(One intermediate revision by one other user not shown)
{{subpages}}
== Too many articles? ==
We currently have this article, [[IPSec]] which redirects here, and [[IPsec]] which goes into a lot more detail. Do we need some merging? I think there's a valid architecture/implementation distinction, so we might need two articles. However, I'm not sure the current articles fit the bill. [[User:Sandy Harris|Sandy Harris]] 04:55, 1 March 2010 (UTC)
===Good point===
I don't usually think packet formats are appropriate to an architecture. From the IETF architecture table of contents, RFC 4301, major headings:
3. System Overview .................................................7
3.1. What IPsec Does ............................................7
3.2. How IPsec Works ............................................9
3.3. Where IPsec Can Be Implemented ............................10
4. Security Associations ..........................................11
4.1. Definition and Scope ......................................12
4.2. SA Functionality ..........................................16
4.3. Combining SAs .............................................17
4.4. Major IPsec Databases .....................................18
4.4.1. The Security Policy Database (SPD) .................19
4.4.2. Security Association Database (SAD) ................34
4.4.3. Peer Authorization Database (PAD) ..................43
4.5. SA and Key Management .....................................47
4.5.1. Manual Techniques ..................................48
4.5.2. Automated SA and Key Management ....................48
4.5.3. Locating a Security Gateway ........................49
4.6. SAs and Multicast .........................................50
5. IP Traffic Processing ..........................................50
*Presumably transport mode gets defined here?
5.1. Outbound IP Traffic Processing
(protected-to-unprotected) ................................52
5.1.1. Handling an Outbound Packet That Must Be
Discarded ..........................................54
5.1.2. Header Construction for Tunnel Mode ................55
6. ICMP Processing ................................................63
7. Handling Fragments (on the protected side of the IPsec
boundary) ......................................................66
7.1. Tunnel Mode SAs that Carry Initial and Non-Initial
Fragments .................................................67
7.2. Separate Tunnel Mode SAs for Non-Initial Fragments ........67
7.3. Stateful Fragment Checking ................................68
7.4. BYPASS/DISCARD Traffic ....................................69
8. Path MTU/DF Processing .........................................69
8.1. DF Bit ....................................................69
8.2. Path MTU (PMTU) Discovery .................................70
8.2.1. Propagation of PMTU ................................70
8.2.2. PMTU Aging .........................................71
9. Auditing .......................................................71
This, presumably, is the right level of detail, with contextualization about the non-protocol aspects. --[[User:Howard C. Berkowitz|Howard C. Berkowitz]] 09:11, 1 March 2010 (UTC)
Latest revision as of 03:11, 1 March 2010